diff options
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/main.c | 7 | ||||
| -rw-r--r-- | src/firejail/run_symlink.c | 17 | ||||
| -rw-r--r-- | src/lib/firejail_user.c | 11 | ||||
| -rw-r--r-- | src/man/firejail-users.txt | 6 |
5 files changed, 24 insertions, 19 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2746deea1..0df832c09 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -671,7 +671,7 @@ void fs_logger_change_owner(void); | |||
| 671 | void fs_logger_print_log(pid_t pid); | 671 | void fs_logger_print_log(pid_t pid); |
| 672 | 672 | ||
| 673 | // run_symlink.c | 673 | // run_symlink.c |
| 674 | void run_symlink(int argc, char **argv); | 674 | void run_symlink(int argc, char **argv, int run_as_is); |
| 675 | 675 | ||
| 676 | // paths.c | 676 | // paths.c |
| 677 | char **build_paths(void); | 677 | char **build_paths(void); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1a37aca2f..9a013989a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -239,12 +239,15 @@ static void init_cfg(int argc, char **argv) { | |||
| 239 | } | 239 | } |
| 240 | cfg.cwd = getcwd(NULL, 0); | 240 | cfg.cwd = getcwd(NULL, 0); |
| 241 | 241 | ||
| 242 | // chack user database | 242 | // check user database |
| 243 | if (!firejail_user_check(cfg.username)) { | 243 | if (!firejail_user_check(cfg.username)) { |
| 244 | fprintf(stderr, "Error: the user is not allowed to use Firejail. " | 244 | fprintf(stderr, "Error: the user is not allowed to use Firejail. " |
| 245 | "Please add the user in %s/firejail.users file, " | 245 | "Please add the user in %s/firejail.users file, " |
| 246 | "either by running \"sudo firecfg\", or by editing the file directly.\n" | 246 | "either by running \"sudo firecfg\", or by editing the file directly.\n" |
| 247 | "See \"man firejail-users\" for more details.\n", SYSCONFDIR); | 247 | "See \"man firejail-users\" for more details.\n", SYSCONFDIR); |
| 248 | |||
| 249 | // attempt to run the program as is | ||
| 250 | run_symlink(argc, argv, 1); | ||
| 248 | exit(1); | 251 | exit(1); |
| 249 | } | 252 | } |
| 250 | 253 | ||
| @@ -914,7 +917,7 @@ int main(int argc, char **argv) { | |||
| 914 | 917 | ||
| 915 | // check argv[0] symlink wrapper if this is not a login shell | 918 | // check argv[0] symlink wrapper if this is not a login shell |
| 916 | if (*argv[0] != '-') | 919 | if (*argv[0] != '-') |
| 917 | run_symlink(argc, argv); // if symlink detected, this function will not return | 920 | run_symlink(argc, argv, 0); // if symlink detected, this function will not return |
| 918 | 921 | ||
| 919 | // check if we already have a sandbox running | 922 | // check if we already have a sandbox running |
| 920 | // If LXC is detected, start firejail sandbox | 923 | // If LXC is detected, start firejail sandbox |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 5d59afad4..2bb4a2ed7 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
| @@ -22,7 +22,7 @@ | |||
| 22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
| 23 | #include <unistd.h> | 23 | #include <unistd.h> |
| 24 | 24 | ||
| 25 | void run_symlink(int argc, char **argv) { | 25 | void run_symlink(int argc, char **argv, int run_as_is) { |
| 26 | EUID_ASSERT(); | 26 | EUID_ASSERT(); |
| 27 | 27 | ||
| 28 | char *program = strrchr(argv[0], '/'); | 28 | char *program = strrchr(argv[0], '/'); |
| @@ -33,6 +33,12 @@ void run_symlink(int argc, char **argv) { | |||
| 33 | if (strcmp(program, "firejail") == 0) // this is a regular "firejail program" sandbox starting | 33 | if (strcmp(program, "firejail") == 0) // this is a regular "firejail program" sandbox starting |
| 34 | return; | 34 | return; |
| 35 | 35 | ||
| 36 | // drop privileges | ||
| 37 | if (setgid(getgid()) < 0) | ||
| 38 | errExit("setgid/getgid"); | ||
| 39 | if (setuid(getuid()) < 0) | ||
| 40 | errExit("setuid/getuid"); | ||
| 41 | |||
| 36 | // find the real program by looking in PATH | 42 | // find the real program by looking in PATH |
| 37 | char *p = getenv("PATH"); | 43 | char *p = getenv("PATH"); |
| 38 | if (!p) { | 44 | if (!p) { |
| @@ -84,20 +90,13 @@ void run_symlink(int argc, char **argv) { | |||
| 84 | free(selfpath); | 90 | free(selfpath); |
| 85 | 91 | ||
| 86 | // desktop integration is not supported for root user; instead, the original program is started | 92 | // desktop integration is not supported for root user; instead, the original program is started |
| 87 | if (getuid() == 0) { | 93 | if (getuid() == 0 || run_as_is) { |
| 88 | argv[0] = program; | 94 | argv[0] = program; |
| 89 | execv(program, argv); | 95 | execv(program, argv); |
| 90 | exit(1); | 96 | exit(1); |
| 91 | } | 97 | } |
| 92 | 98 | ||
| 93 | // start the argv[0] program in a new sandbox | 99 | // start the argv[0] program in a new sandbox |
| 94 | // drop privileges | ||
| 95 | if (setgid(getgid()) < 0) | ||
| 96 | errExit("setgid/getgid"); | ||
| 97 | if (setuid(getuid()) < 0) | ||
| 98 | errExit("setuid/getuid"); | ||
| 99 | |||
| 100 | // run command | ||
| 101 | char *a[3 + argc]; | 100 | char *a[3 + argc]; |
| 102 | a[0] =PATH_FIREJAIL; | 101 | a[0] =PATH_FIREJAIL; |
| 103 | a[1] = program; | 102 | a[1] = program; |
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c index 7d9784392..09a4da0e7 100644 --- a/src/lib/firejail_user.c +++ b/src/lib/firejail_user.c | |||
| @@ -28,6 +28,7 @@ | |||
| 28 | #include "../include/common.h" | 28 | #include "../include/common.h" |
| 29 | #include <sys/types.h> | 29 | #include <sys/types.h> |
| 30 | #include <pwd.h> | 30 | #include <pwd.h> |
| 31 | #include "../../uids.h" | ||
| 31 | 32 | ||
| 32 | #define MAXBUF 4098 | 33 | #define MAXBUF 4098 |
| 33 | static inline char *get_fname(void) { | 34 | static inline char *get_fname(void) { |
| @@ -41,15 +42,13 @@ static inline char *get_fname(void) { | |||
| 41 | int firejail_user_check(const char *name) { | 42 | int firejail_user_check(const char *name) { |
| 42 | assert(name); | 43 | assert(name); |
| 43 | 44 | ||
| 44 | // root allowed by default | 45 | // root is allowed to run firejail by default |
| 45 | if (strcmp(name, "root") == 0) | 46 | if (strcmp(name, "root") == 0) |
| 46 | return 1; | 47 | return 1; |
| 47 | 48 | ||
| 48 | // user nobody disabled by default | 49 | // other system users will run the program as is |
| 49 | if (strcmp(name, "nobody") == 0) { | 50 | if (getuid() < UID_MIN || strcmp(name, "nobody") == 0) |
| 50 | fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n"); | 51 | return 0; |
| 51 | exit(1); | ||
| 52 | } | ||
| 53 | 52 | ||
| 54 | // check file existence | 53 | // check file existence |
| 55 | char *fname = get_fname(); | 54 | char *fname = get_fname(); |
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index ec91e495c..c29de0705 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt | |||
| @@ -5,7 +5,11 @@ firejail.users \- Firejail user access database | |||
| 5 | .SH DESCRIPTION | 5 | .SH DESCRIPTION |
| 6 | /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable. | 6 | /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable. |
| 7 | If the file is not present in the system, all users are allowed to use the sandbox. | 7 | If the file is not present in the system, all users are allowed to use the sandbox. |
| 8 | root user is allowed by default, user nobody is denied access by default. | 8 | root user is allowed by default. Other system users (users with an ID below UID_MIN value |
| 9 | defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox. | ||
| 10 | |||
| 11 | If the user is not allowed to start the sandbox, Firejail will attempt to run the | ||
| 12 | program without sandboxing it. | ||
| 9 | 13 | ||
| 10 | Example: | 14 | Example: |
| 11 | 15 | ||